The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 (the Bill)1 was introduced into the House of Representatives by Communications Minister Malcolm Turnbull on 30 October 2014. The Bill seeks to amend the Telecommunications (Interception and Access) Act 1979 (TIA Act), and the Telecommunications Act 1997 (Telecommunications Act). The primary amendments would require telecommunications service providers (which would include internet service providers (ISPs)) to retain prescribed telecommunications data.
Why are the changes being introduced?
The TIA Act provides Australia's national security and law enforcement bodies with the tools to obtain certain information to assist in their investigation and prosecution of serious crimes (including murder, child pornography or threats to national security). It also plays a key role in cyber security and organised crime investigations.
Under the TIA Act, these enforcement bodies may seek access to information held by communications providers. Importantly, this includes telecommunications data, which, simply put, means information about a communication. This might include, for example, phone numbers, email addresses, the length of a call or the time and date it was made.
Currently the TIA Act does not specifically regulate the type of data to be retained or the length of time for which it needs to be retained. This, together with evolving technology and business practices in this area, has led our enforcement agencies to express concern about the lack of available data and that this hinders their investigations of serious crimes.
In June 2013, the Parliamentary Joint Committee on Intelligence and Security reported on proposed reforms in respect of Australia's National Security Legislation. The report detailed recommendations as to a proposed compulsory data retention scheme (and associated issues), in order to address the detrimental effect on Australia's law enforcement and national security capabilities of not having this information available.
What information will be retained?
Generally speaking, the type of data the Bill seeks to have retained is “telecommunications” data, or “metadata”, which is generally defined as information about a communication, but not its content. Whilst the Bill does not provide a set definition of what metadata is to be retained, Attorney-General Senator the Honourable George Brandis QC outlined in the Explanatory Memorandum to the Bill2 that the information to be retained will include:
- The identity of the subscriber to a service;
- The source and destination of a communication;
- The date, time and duration;
- The type of communication; and
- The location of the equipment used.
In relation to telephone communications, metadata could, for example, reveal that one number belonging to a particular account was connected to another number at a certain time and duration. It will not reveal the content of what was discussed.
In relation to internet communications, metadata could include an IP address which may have been detected to have been engaged in unlawful activity. In relation to email communications, metadata may include information such as the sender, recipient, time and date of an email. It will not reveal the content of the email.
What information will not be retained?
There have been many concerns from industry bodies and the Australian public as to whether the Bill will encroach upon Australia's privacy laws. In August 2014, Prime Minister Tony Abbott indicated (in a television interview) that the information might be used to assist with "general crime" matters and that the information retained might include the sites visited by a person on the internet. These comments caused considerable discussion about the precise intent and content of the proposed Bill and the data it would in fact capture, and raised concerns as to the wide net it seemed to cast and its encroachment on the privacy of individuals.
On 30 October 2014, the Minister for Communications in his Second Reading Speech stated that service providers would not be required to retain the content or substance of any communication, including subject lines of email communications or posts on social media sites. He further stated that the Bill, if passed, will not include a requirement to keep or provide access to an individual's web-browsing history. The Bill also would not require service providers to keep detailed location records that could allow an individual's movements to be tracked.
What could the retained information be used for - targeting intellectual property infringement?
As noted above, concerns have been raised that the retained information may be used not just for issues of national security or in respect of very serious crime, but may have a more general application. On 30 October 2014, at the Australian Government's press conference concerning the introduction of the Bill, the following exchange occurred with the Australian Federal Police Commissioner, Andrew Colvin (Commissioner Colvin):
Journalist: Once the legislation is through, could it be used, for example, to target illegal downloads? Those responsible for that?
Andrew Colvin: I haven't even touched on some of the other range of crimes. Absolutely, I mean any interface, any connection somebody has over the internet, we need to be able to identify the parties to that connection. Again, not the content, not what may be passing down the internet. So illegal downloads, piracy… sorry, cyber-crimes, cybersecurity, all these matters and our ability to investigate them is absolutely pinned to our ability to retrieve and use metadata.
The reaction to these statements from the public and relevant stakeholders was immediate and widespread, with suggestions that the data retained under the proposed Bill might be used in a very broad range of circumstances. It was raised that this might include civil cases for intellectual property infringement, defamation cases (for example to track down comments made anonymously on blogs or websites) or various other private lawsuits (seeking the retained data by subpoena, for example).
Although the primary purpose of the Bill has been expressed as dealing with matters of national security and serious crimes, what the extensive database of retained data might ultimately be used for remains a matter of debate.
Other concerns expressed with the retention of data in the manner proposed by the Bill
Various other concerns have been raised in relation to the compulsory retention of data in the manner proposed. These have included:
- The security of the data to be retained and the risk of unauthorised access (particularly in light of recent "hacking", including the SONY incidents);
- The cost of retaining the data and the impact on businesses and consumers (if those costs are passed on for example by ISPs to internet customers); and
- Whether enforcement agencies previously able to access certain data without the need for a warrant (for example the RSPCA or local councils) will be able to do so under the new regime, in circumstances where they are not a prescribed enforcement agency. (Some see this as a concern, others as a way of tightening up access to data which has inevitably already been occurring.)
On 21 November 2014, the Bill was referred to the Parliamentary Joint Committee on Intelligence & Security (PJCIS). The PJCIS produced its report (of some 360 pages) on 27 February 2015.3 The report provided 39 recommendations, all of which have been supported by the Australian Government.4 They included a recommendation to make it clear that ISPs were not required to keep web-browsing histories or other destination information (no 7) and the inclusion of the Australian Securities and Investments Commission (ASIC) and the Australian Competition and Consumer Commission (ACCC) as prescribed criminal law enforcement agencies under the TIA Act (no 20).
As to the second of these recommendations, as noted above, some discussion has occurred about the manner in which the new definition of an enforcement agency replaces the existing approach (which basically operates to permit an agency with a function relating to enforcement of laws administering a pecuniary penalty, or protection of public revenue, to have automatic access to certain data). The PJCIS noted in its report that a broad range of agencies would no longer be "enforcement agencies" based on the Bill. In addition to ASIC and the ACCC (which the Government has agreed to now specifically include), those agencies included the Australian Taxation Office, the Department of Defence and the Department of Immigration and Border Protection. We will report on the final adopted list of included enforcement agencies once the Bill has been passed.
Current status of the Bill
The Bill now returns to the House of Representatives for debate. There is pressure from the Abbott Government for the Bill to be passed as soon as possible. Commissioner Colvin recently commented publicly that: “For every day the bill is delayed metadata is disappearing. Without the passage of the bill, law enforcement will be left behind.”
Conclusion
The Bill and related material cover a broad range of issues which we have only briefly touched on above. We will monitor the progress of the Bill and provide updates in due course.